Apple on Wednesday issued an update for Mac OS X that addresses 18 vulnerabilities, some of which could enable an attacker to execute arbitrary code or obtain sensitive information.
The fixes were part of a larger system update to Mac OS X Leopard version 10.5.8, available for Mac OS X versions 10.4.11 and 10.5 through 10.5.7. The vulnerabilities affect numerous applications, and some could enable an attacker to cause a denial of service, bypass security functions or operate with escalated privileges, according to an advisory posted by US-CERT on Thursday.
Peter James, spokesman at Mac security firm Intego, told SCMagazineUS.com on Thursday that this is an “average” security update.
“Nothing suggests that there is a huge threat or that there is code out there that would allow these vulnerabilities to be exploited,” James said.
A number of the bugs involve the way certain applications handle image files. Because of these issues, an attacker could send a user a maliciously crafted image file that would cause the application to terminate or arbitrary code to execute, according to Apple’s security release notes.
“Images are one of the things that have issues,” James said. “It’s one of the areas that’s often fixed in these security updates.”
Two of the vulnerabilities in the batch are atypical because they could be exploited only if someone had physical access to the device, James said.
One of those issues affects Mac computers that have a multitouch trackpad, which enables users to control the mouse and execute commands with more than one finger. Because of an issue in the software that controls the trackpad, someone with physical access to the device could bypass a screen saver lock without entering the password, by executing the correct finger movements.
“It’s interesting because it’s so different than the type of security fixes we usually hear about,” James said.
Another vulnerability that could be exploited physically is part of MobileMe, a program used to sync emails, contacts and calendar events on multiple Apple products. The program does not properly erase login credentials when the user logs out, enabling someone with physical access to a device to get into a user’s MobileMe account.
“It’s a physical access thing — not the kind of thing where a trojan would exploit a hole in an application,” James said.
Apple did not respond to a request for comment Thursday.